Q&A: What exactly is threat intelligence and why do I need it?

With cyber security having been thrust into the mainstream in recent months, 'threat intelligence' has become a bit of a buzzword. However, there are still several misconceptions around this rather ambiguous term.

To shed some light on the subject and clear up what it actually means, we spoke to Pete Shoard, chief architect at SecureData. The full interview can be found below.

1) What does the term ‘threat intelligence’ mean?

Traditionally, ‘intelligence’ is the gathering of relevant information, both open source and probing information, about the subject. In this instance, it’s about a threat, with the main aim being to understand what that threat is and defending or defeating that objective.

Meanwhile, the term ‘threat’ in the context of cyber security describes something or someone looking to damage reputation or steal information or intellectual property. In business terms, the impact may be to affect your ability to do business in a particular sector or area. A threat is related to a risk (i.e. your infrastructure) and is not just a person that attacks you, but the methods and exploits they use to achieve that attack.

Bringing these two terms together in the context of cyber security, threat intelligence means both understanding your adversary, and understanding the tools and techniques they might use, and also understanding your vulnerabilities as a business so that you can correlate these three elements and ascertain ways to reduce your risk of being subject to an attack.

It should be defined as ‘actionable’ or ‘applied’ threat intelligence. It has to be directly relevant to you, otherwise it’s just information.

2) What benefits does threat intelligence provide?

This is a difficult question to answer as it depends entirely on who you are as a business and what assets and infrastructure you have. At its essence, threat intelligence provides you with the ability to ensure your defences are sufficiently weighted towards the threats you are likely to face.

For example, if your biggest threat as a nation state is that someone will attack you by air (because you are an Island), the value of putting up a huge fence is diminished when compared with the value of investing in anti-aircraft guns. So threat intelligence enables you to make that effective decision about where you should place your defences and where you should invest in defences.

The fact is, you can’t defend against all threats all of the time. So you have to direct your resource and your efforts to the things that really matter. To understand what makes a good investment, you need to understand what you have as business that attackers might want to steal, what it’s worth, how their loss would affect your business revenue and the value of the company, and also what attack paths they are most likely to take.

3) How should organisations gather and use threat intelligence?

Organisations can’t buy threat intelligence, only threat information, which they need to transform before they can use it as threat intelligence. Of course, the popular route is choosing a third party provider, who specialise this this arena and should help actually apply this threat intelligence to a business.You should expect to receive remediation actions and consulting advice, rather than having to sift through huge volumes of information and do the intelligence part yourself.

4) What types of threat detection technologies should organisations have in place?

All organisations should have intrusion detection systems (IDS) and intrusion prevention systems (IPS) in place. These appliances enable protection and blocking at the boundary of an organisation and can then feed information and intelligence back to a managed security provider for monitoring purposes.

However, businesses are specialists in their own sectors and areas, so they should really entrust security to someone whose business is security. I wouldn’t recommend any organisation have threat detection technologies in place, apart from those being delivered via a specialist partner.

5) What data should a threat intelligence platform correlate?

A threat intelligence platform should ideally correlate all of the outputs from the major security devices that produce logs across a customer’s estate. It should also take in open source and paid for threat feeds, indicators of compromise, and human intelligence. The latter includes risk information from IT staff, which helps to identify the devices and assets that are the most important or valuable, and HR records – e.g. leavers and joiners records.

When submitting a report, a threat intelligence platform should provide information relating to the organisation’s sector, industry peers and geographic information, so that they can understand whether that threat is directly relevant to them.

6) What are the biggest challenges in utilising threat intelligence today?

There are two key challenges today. The firstis contextualising intelligence – i.e. understanding whether that intelligence is relevant to my business and not just another indicator of compromise that will never effect me.If it does affect me, what is the context of that intelligence: how will it apply to my business, potentially interrupt my business as usual, and what is the net effect on my operation?

The second challenge is the sheer volume of indicators of compromise, which are sent to subscribers in their millions per week. This is a vast sum of data that someone has to Interpret and digest if the business is paying for it. Thus the business has to understand why they need it, how they correlate against it, and where to store it. Indeed, there’s a huge list of things they need to consider, not forgetting of course, the infrastructure and data management platform they’d need to consume that level of data.

There is also a people challenge here too, which is having someone that understands what that data intelligence means to your business. This person must have the expertise and experience to digest the information and ‘humanise’ it.

7) Where should organisations focus threat intelligence investment?

As discussed, threat intelligence is not something you should attempt to buy-in and self-manage. If you are making a threat intelligence investment, it should be in a provider that offers an extensive cloud-based service that is managed on your behalf, and which you can consume on a pay as you grow basis.

Essentially, the experience and expertise needed to use threat intelligence is not something you would find on the open market. This is compounded by the fact there is currently a cyber skills shortage.

Moreover, the majority of threat intelligence reporting services available today cost from £20,000 up to £1 million or more per annum. These deliver vast sums of data that you then have to sift through yourself. We realised early on that threat intelligence must be easy to consume, which is why we launched a threat advisories service that delivers succinct notifications direct to our subscribers’ inboxes.

Ultimately, organisations have been investing in technology for years and are still not winning the battle. This is why they need to consider investing in threat intelligence delivered as a managed detection and assessment service, as this enables them to make better use of the technology they have already deployed and understand where key risks lie.